Streama Path Traversal and SSRF Vulnerability Allowing Arbitrary File Write

Vulnerability

A vulnerability combining path traversal and server-side request forgery (SSRF) has been identified in Streama versions 1.10.0 through 1.10.5, prior to commit b7c8767. It allows authenticated attackers to write arbitrary files to the server filesystem. The issue lies in the subtitle download feature, which uses user-controlled parameters both to fetch remote content and to build the destination file path, without adequate validation of either. By supplying a crafted subtitle download URL together with a path traversal sequence in the file name, an attacker can control where the fetched file is written on the server, potentially leading to remote code execution.

Impact

Exploiting this vulnerability allows authenticated users to write files to any location on the server that the application's OS user can write to. This could include overwriting critical files, such as configuration or database files, leading to data loss or application disruption. The SSRF component could be used to reach internal services or cloud metadata endpoints. While the vulnerability does not directly yield remote code execution, that outcome could be reached under certain conditions, such as writing a malicious cron job or modifying executable files.

Reproduction

To reproduce this vulnerability, authenticate with the default admin credentials. Then, upload a GZIP file containing the desired payload to a public file hosting service. After uploading, send a POST request to the '/subtitles/download' endpoint. Include the uploaded file's URL in the 'subDownloadLink' parameter, a crafted file name that exploits the path traversal vulnerability in the 'subFileName' parameter, and a valid 'videoId'. The server will fetch the file via the provided URL, extract it, and write it to the location specified by the path traversal, effectively allowing arbitrary file writes on the server.

Remediation

Users can update to Streama version 1.10.6 or later, where this vulnerability has been patched. The patch includes validation to prevent path traversal and SSRF attacks in the subtitle download feature.
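As an added, illustrative example (not Streama's code or its actual patch), the following Python shows the two checks a fix for this class of bug needs: a file-name allow-list with a directory containment check for subFileName, and a scheme plus resolved-address check for subDownloadLink. The subtitle directory, the extension allow-list and the pre-resolved address list passed by the caller are assumptions.

```python
import ipaddress
import posixpath
import re
from typing import Iterable
from urllib.parse import urlsplit

# Constructed values for this illustration: Streama's real subtitle directory,
# accepted extensions and DNS resolver are not stated on the advisory page.
SUBTITLE_DIR = "/var/lib/streama/subtitles"
ALLOWED_NAME = re.compile(r"[A-Za-z0-9._-]{1,200}\.(srt|vtt|gz)")


class RejectedInput(ValueError):
    """Raised when a user-controlled parameter fails validation."""


def safe_subtitle_path(sub_file_name: str, base_dir: str = SUBTITLE_DIR) -> str:
    """Return base_dir/<name>, or raise if the name could escape base_dir."""
    # Allow-list first: a subtitle name is one path component with a known
    # extension. fullmatch rejects '/', '\\', NUL bytes and trailing newlines.
    if not ALLOWED_NAME.fullmatch(sub_file_name):
        raise RejectedInput("file name is not a plain subtitle file name")
    # Belt and braces: after normalisation the parent must still be base_dir.
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, sub_file_name))
    if posixpath.dirname(candidate) != base:
        raise RejectedInput("file name resolves outside the subtitle directory")
    return candidate


def validate_download_url(url: str, resolved_ips: Iterable[str]) -> str:
    """Accept only http(s) URLs whose resolved addresses are all public.

    resolved_ips is what the caller's DNS lookup returned for the host; the
    caller must then connect to one of those validated addresses instead of
    resolving again, otherwise a changing DNS answer bypasses the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise RejectedInput("only http and https download links are allowed")
    if not parts.hostname or parts.username or parts.password:
        raise RejectedInput("missing host or embedded credentials in link")
    ips = list(resolved_ips)
    if not ips:
        raise RejectedInput("host did not resolve")
    for ip in ips:
        # is_global is False for loopback, RFC 1918, link-local (including the
        # 169.254.169.254 cloud metadata address), ULA and reserved ranges.
        if not ipaddress.ip_address(ip).is_global:
            raise RejectedInput(f"download link resolves to non-public {ip}")
    return parts.hostname


def check_subtitle_download(link: str, name: str, resolved_ips: Iterable[str]) -> str:
    """Validate both request parameters; return the only path allowed for the write."""
    validate_download_url(link, resolved_ips)
    return safe_subtitle_path(name)
```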

Added: Dec 18, 2025, 10:26 PM
Updated: Dec 18, 2025, 10:26 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         7.5
exploitability: 6.6
remediation:    7.7
relevance:      1.6
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.